How does Texas HB 300 Expand Individual Privacy Protections?

by James Keogh

Texas HB 300 expands individual privacy protections by amending the Texas Medical Records Privacy Act in Texas Health and Safety Code Chapter 181 to apply medical privacy obligations to a broader range of organizations than HIPAA, restrict certain disclosures of electronic protected health information to narrower categories unless the individual authorizes the disclosure, impose Texas-specific training and notice duties, and add state breach reporting and penalty consequences that operate in addition to federal enforcement.

HB 300 extends coverage beyond HIPAA Covered Entities and many HIPAA Business Associates by treating any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits protected health information of a Texas resident as a covered entity under Texas law, including entities located outside Texas when they handle Texas resident information. This expansion increases the number of regulated handlers of health information and broadens the settings in which an individual's information is regulated.

HB 300 narrows the circumstances in which electronic protected health information may be disclosed without an authorization by limiting permissible electronic disclosures to treatment, payment, health care operations, and certain insurance or health maintenance organization operations, while HIPAA permits additional categories of disclosures in defined situations. Covered entities subject to HB 300 must also provide a notice describing limitations on electronic disclosures when the law applies.


HB 300 strengthens control over monetization and marketing uses of protected health information by requiring authorization for marketing uses and by limiting remuneration for the sale of protected health information to cost-based amounts when a sale is permitted under the Texas framework.

HB 300 adds workforce obligations by requiring training on state and federal protected health information laws within the statutory onboarding timeframe and requiring employee attestation of completion. HB 300 also ties privacy compliance to Texas breach notification requirements, including reporting to the Texas Attorney General when the number of affected individuals meets the state reporting threshold, and it authorizes Texas enforcement penalties that can be assessed separately from HIPAA civil enforcement.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]